A global high-tech manufacturer had reached its boiling point after several of its sales reps left the company unexpectedly and took with them sales leads and other data to their new employers.
The company needed to stop the thefts before they happened. So the company hired several security analysts who manually looked at the behavior patterns for all sales reps working on its cloud-based CRM system, and then matched them with the behaviors of those who ultimately quit their jobs. What they were able to correlate was startling.
Sales reps that had shown a spike in abnormal system activity between weeks nine and 12 of a financial quarter generally quit at the end of week 13 – in many cases because they knew they weren’t going to meet their sales quotas, says Rohit Gupta, president of cloud security automation firm Palerra, which now works with the manufacturer.
[ ALSO ON CSO: A secure employee departure checklist ]
These abnormal behaviors included one or all of these warning signs -- doing mass exports of lead information, entering parts of the system where they don’t usually go, changing object information, deleting items, and doing any of these things from home or in the office on a Saturday afternoon.
With these early warning indicators, IT staff was able to put controls in place to stop massive downloads before they happened or freeze accounts for several hours until a manager had a chance to speak with the employee.
Today, cloud security automation tools make easier work of detecting these warning signs. “Predictive analytics is important, not just prevention or detection, but getting ahead of the curve,” says Gupta. Palerra’s LORIC is one of a handful of cloud security automation tools which has ventured into predictive analytics capabilities for the cloud on top of security configuration management, threat detection and automated incident response -- and it comes at a critical time.
A thriving economy means greater opportunity for job seekers, and therefore more job turnover. In May 2015, the US Bureau of Labor Statistics reported 4.7 million total employee separations, 2.7 million of which were “quits,” or voluntary separations initiated by the employee. But lately, it’s become easier for those employees to leave the company with more than just their 401K plan and a box of pens.
Employees are taking valuable company data with them that is stored in the cloud in CRM systems like Salesforce, collaboration tools such as Microsoft Office 365 or storage sites like Box and Dropbox.
[ ALSO ON CSO: Revamping your insider threat program ]
“It’s just so easy to access, download and transfer data these days – in fact, the company doesn’t even know it’s happening,” says Eric Chiu president of cloud security automation firm HyTrust. “On the flipside, it’s difficult to track” all the data that is out there and secure data against an authenticated user, he adds.
Half of all employees who left their posts in 2013 took company data with them, and 40 percent planned to use that data in their new job, according to a study by Symantec and the Ponemon Institute.
In January, Morgan Stanley fired one of its financial advisers after it accused him of stealing account data on about 350,000 clients, potentially one of the largest data thefts at a wealth management firm.
Predictive capabilities are available from just a handful of cloud security automation vendors today, and some analysts consider predictive analytics to be in the early stages.
“There’s potential but the practical applications are still a little immature,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “You can tune something to look for an attack that you know about, but what’s hard is to tune it to something you don’t know about. I can look at access patterns on repositories and how much people download and whether they save documents locally. But there’s always creative ways to work around that. A really dedicated, sophisticated adversary will quickly decipher where you’re not looking – and that’s the problem.” Or they will carry out a “low-and-slow” theft by regularly moving data to a repository over time, he adds.
Still, security automation vendors continue to add predictive analytics capabilities to their platforms. In July, Splunk acquired security company Caspida to add machine learning-based user behavioral analytics and extend its analytics-enabled SIEM to better detect advanced and insider threats.The Splunk platform can search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices.
Some users of cloud-based systems may choose to wait for predictive analytics to mature before taking the plunge. In the meantime, there are other ways to keep data from walking out the door with exiting employees, experts say.
Work with human resources
It's important for IT security managers to communicate with the human resources department so they are aware of pending layoffs or other personnel issues that might lead to employee departures. “You have to look at whatever data is available in their corporate environment, such as an HR data source. If an employee has a termination date or is being terminated for any reason, then you have to look at that person’s system activities with increased scrutiny,” says Andras Cser, vice president and principal analyst at Forrester Research, serving security and risk professionals.
Monitor third-party storage
Many companies have measures in place that will automatically stop unauthorized use of internal systems or keep users from downloading data, but what about cloud storage sites that are out of their direct control?
“You can have solutions like CloudLock, BetterCloud and others that tie to APIs of a cloud service like Dropbox, Box or Salesforce,” Cser says. “If the solution sees that I’m downloading 300-times the usual data volume that I normally look at, then it can send an alert.”
“Encrypt [sensitive] data so that if it’s taken offsite, then it is no longer useful. Controls, monitoring and data security on the inside can prevent bad things from happening,” Chiu says.
Cloud apps are typically siloed and not connected in the network, so it’s difficult to put controls in place across the board. “The result is – if there are separate owners responsible for managing Workday, Google Apps or Box, for instance, then those administrators have to do the right thing” and put the right monitoring and controls in place, Gupta says. “That’s all the more reason for cloud security automation. If you have a monitoring framework doing this 24/7 in an automated fashion, then the enterprise has someone to watch their back.”